A HackBack Gaming Event

Ransomware Scenario

HackBack

Company Profile

Citum Energy Solutions

Citum Energy has grown from 0 to 200 employees and $50M in 10 years. The company provides clean energy solutions and consulting to several enterprise customers and government agencies. It holds some consumer PII but is primarily focused on larger customers. Employees are a dispersed remote or hybrid workforce, mainly in Denmark, with outsourced development in India. The company has grown fast; data security matters, but it has been hard to control as people and processes become harder to track in this fast-moving environment.

Introductions

Everybody (IM included) introduces themselves as their real selves

Time for Pre-Game prep

Rules

  • Prior to the game, everybody rolls a D20 for initiative (turn order)
  • We play three rounds in the same scenario
  • Each player has one turn per round
    • Can take two actions per turn
      • Talk to someone
      • Do something (or make someone else do something)
  • IM will tell you what you can do, which modifiers are active and what happened
  • At the end of each round we update company health
  • After three rounds we’ll see if your company is still open!

Company Background

  • Time in business: 10 years
  • Security Acumen: Medium importance
  • Primary Goal: Grow business 15% per year
  • Concerns: How to grow the business faster?
  • Board interaction: Medium
  • Stability: Medium

Organization

graph TD;
A[CEO]
B[COO]
C[CIO]
D[CFO]
E[CMO]
F[Ops Dir]
G[VP Consulting]
H[Consultants]
I[CTO]
J[Dev Director]
K[Dev Team]
L[SRE]
M[Sr. Network Engineer]
N[CISO]
O[Infosec Manager]
P[HR Director]
Q[HR Team]
R[Finance Director]
S[Budget Team]
T[Accounting]
U[Sales Director]
V[Sales Team]
W[IT Admin]
X[Legal - External]
Y[External Vendor]

A --> B;
A --> C;
A --> D;
A --> E;
B --> F;
F --> G;
G --> H;
C --> I;
I --> J;
J --> K;
I --> L;
L --> M;
C --> N;
N --> O;
D --> P;
P --> Q;
D --> R;
R --> S;
S --> T;
E --> U;
U --> V;
I --> W;

Tech stack

  • Web, marketing, and proprietary clean energy solution infrastructure in Azure
    • Azure virtual machines and some serverless infrastructure.
    • Website managed by third party firm.
    • Data collectors from clean energy solutions, sensors, and other IoT devices.
  • Microsoft 365 IT infrastructure
    • E5, Azure AD, Intune, Teams, SharePoint, OneDrive, Office 365
  • Other infrastructure includes:
    • Various SaaS applications
  • Security Stack
    • Cisco firewalls w/ VPN
    • Defender for Endpoint
    • Defender for Cloud
    • Exchange Online

Security Stack

  • Tenable Nessus: vulnerability scanner
  • Cisco: basic firewall
  • Exchange Online: email security
  • Defender for Endpoint: endpoint security

Company Staff

  • CEO: TBD
  • CFO: Out
  • CMO: TBD
  • CISO: Open role
  • CTO: TBD
  • IT Admin: TBD
  • Sys Engineer: TBD
  • Windows Arch.: TBD
  • ISM: TBD
  • CLO/Vendor: TBD

Round 0

Citum Press Release Party

Time: 16.05, Friday

Getting into character

Citum is having a celebration for employees after a successful press release with well-deserved media attention. Time to get in character and mingle.
Tell us something about your character. Work life. Personal life. Whatever strikes your fancy. Otherwise, I’ll be that awkward guy that asks awkward questions.

Round 1

Things that happen on a Friday afternoon…

Time: 16.50, Friday

IT Admin notices a suspicious login alert from Microsoft for an account belonging to another member of IT.

This grabs attention because this person is on vacation.

Round 1

What do you do?

Round 1

Company Health Check #1

Company Health: 100

Round 2

Things you can and can’t do!

Time: 09.20, Saturday (next day)

IT appears to have been locked out of the admin accounts for the Azure and Microsoft 365 environments.

The CEO receives a message demanding a ransom to restore access.

Round 2

What do you do?

Round 2

Company Health Check #2

Round 3

The trouble doesn’t just make itself!

Time: 09.40, Monday (two days later)

Employee workstations appear to have been encrypted, and customers are calling to report that business services are down.

Round 3

What do you do?

Round 3

Company Health Check #3

It’s over!

It’s the darndest thing…

What’s really going on?

  • The Microsoft 365 account of an IT team member was phished and compromised
    • The attackers deployed a remote access tool to selected endpoints
    • MFA and some other security features had been disabled on some accounts at the direction of the CEO
  • The attackers elevated to Global Administrator using credentials reached through the compromised account's password vault access
  • They created multiple new admin accounts and reset the passwords of existing admin accounts
  • While the attackers were in contact with the CEO, the endpoint ransomware was being staged
    • Attempts to remove the attackers from the environment were incomplete
  • They also stole customer data and source code and deleted the backups they could find
  • Ransomware was deployed to endpoints as a further attempt to force payment

Which actions should be taken?

  • Activate the incident response plan
  • Investigate the suspicious login and all subsequent activity from that account
  • Identify the status of backups
  • Identify gaps in the current configuration
  • Hire an incident response firm
  • Examine endpoint logs for unusual connections
  • Use multiple tools to form a larger picture
    • MS Sentinel is partially deployed and of use, but log storage is limited due to lack of budget
  • Forensics on Azure/M365 and the affected workstations
  • Engage legal counsel/DPO, since data was stolen
    • Must assume breach
  • Execute the communication plan
  • Completely remove the attacker!
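What "investigate the suspicious login and subsequent activity" and "completely remove the attacker" look like against this tech stack, as an added example for the debrief (Microsoft Graph PowerShell; not part of the exercise materials or any Citum tooling). It pulls the phished account's sign-ins, the directory changes that make up the attack chain described above (new users, role assignments, password resets, MFA changes), the current Global Administrators with their creation dates, and a session-revocation helper for containment. The UPN, the alert timestamp, the look-back window and the function name Invoke-CitumRevokeSessions are assumptions; the role template ID is the well-known Global Administrator template.

```powershell
# Added example for this debrief; it is not part of the exercise materials or any Citum tooling.
# Assumes the Microsoft Graph PowerShell SDK 2.x (Install-Module Microsoft.Graph) and a responder
# account that still holds read access to Entra audit data. The UPN, tenant and timestamps are
# hypothetical placeholders.

$VictimUpn    = 'it.user@citum.example'                                     # vacationing IT staffer (placeholder)
$AlertTime    = [datetime]::Parse('2024-06-07T16:50:00Z').ToUniversalTime() # Round 1 alert, Friday 16:50 (placeholder)
$Since        = $AlertTime.AddHours(-2).ToString('o')                       # ISO 8601 UTC, two hours before the alert
$GaTemplateId = '62e90394-69f5-4237-9190-012177145e10'                      # well-known Global Administrator role template

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.RevokeSessions.All' -NoWelcome

# 1. Sign-ins for the phished account: source IP and country, target app, result, and whether MFA
#    was actually satisfied. authenticationRequirement = singleFactorAuthentication on an IT account
#    is the finding to chase, given that MFA had been switched off on some accounts.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$VictimUpn' and createdDateTime ge $Since" -All |
    Select-Object CreatedDateTime, IPAddress,
        @{ n = 'Country';   e = { $_.Location.CountryOrRegion } },
        AppDisplayName,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },   # 0 = successful sign-in
        AuthenticationRequirement |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 2. Directory changes after the look-back point that match the attack chain: new users, role
#    assignments, password resets and MFA changes. Operation names are as they appear in Entra audit logs.
$Ops = 'Add user', 'Add member to role', 'Reset user password', 'Update user', 'Disable Strong Authentication'
$Changes = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $Since" -All |
    Where-Object { $_.ActivityDisplayName -in $Ops } |
    ForEach-Object {
        $target = $_.TargetResources | Select-Object -First 1
        # For 'Add member to role' the role name is carried in modifiedProperties as Role.DisplayName
        $role = ($target.ModifiedProperties | Where-Object DisplayName -eq 'Role.DisplayName' |
                 Select-Object -First 1).NewValue
        [pscustomobject]@{
            Time   = $_.ActivityDateTime
            Actor  = $_.InitiatedBy.User.UserPrincipalName   # null when an app, not a user, made the change
            Action = $_.ActivityDisplayName
            Target = $target.UserPrincipalName
            Role   = $role
            Result = $_.Result
        }
    }
$Changes | Sort-Object Time | Format-Table -AutoSize

# 3. Who holds Global Administrator right now, and which of those accounts did not exist before the alert?
$GaRole = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $GaTemplateId
$GaNow = foreach ($m in (Get-MgDirectoryRoleMember -DirectoryRoleId $GaRole.Id -All)) {
    # Role members can also be service principals; Get-MgUser fails on those, so they are skipped here
    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, CreatedDateTime -ErrorAction SilentlyContinue
    if ($u) {
        [pscustomobject]@{
            Upn           = $u.UserPrincipalName
            Created       = $u.CreatedDateTime
            NewSinceAlert = ($u.CreatedDateTime.ToUniversalTime() -ge $AlertTime)
        }
    }
}
$GaNow | Sort-Object Created -Descending | Format-Table -AutoSize

# 4. Containment helper. A password reset alone leaves already-issued refresh tokens valid, which is
#    one way "removal" stays incomplete; revoking sign-in sessions forces re-authentication everywhere.
function Invoke-CitumRevokeSessions {
    param([Parameter(Mandatory)][string[]]$Upn)
    foreach ($u in $Upn) {
        Write-Host "Revoking sign-in sessions for $u"
        Revoke-MgUserSignInSession -UserId $u | Out-Null
    }
}
# Run deliberately, after the new-admin list has been reviewed with the IR lead:
# Invoke-CitumRevokeSessions -Upn (@($VictimUpn) + @(($GaNow | Where-Object { $_.NewSinceAlert }).Upn))
```

Two caveats for the players. Entra keeps sign-in and audit logs for a limited window (30 days on the P1/P2 licensing that E5 includes), so with the debrief's under-funded Sentinel retention these queries may be the only record of the Friday-to-Monday chain; export the results before they age out. And revoking sessions is only one step of "completely remove the attacker": the attacker-created admins and any password resets they performed have to be reverted, the credentials held in the password vault the attackers reached must be rotated, and the remote access tool on the endpoints has to be found and removed through Defender for Endpoint, or the attackers simply come back.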

Talk Back

  • IM Observations
    • Overall, how did we do?
  • Player Self-Evaluation
    • Was the exercise a success?
  • Do Different?
    • Each person, around the table
  • Do Better?
    • Each person, around the table

Thanks for joining!